CVE-2020-4040: Cross-Site Request Forgery (CSRF)

June 8, 2020 (updated July 3, 2020)

Bolt CMS lacks CSRF protection in the preview generating endpoint. Previews are intended to be generated by the admins, developers, chief-editors, and editors, who are authorized to create content in the application. But due to lack of proper CSRF protection, unauthorized users could generate a preview.

References

nvd.nist.gov/vuln/detail/CVE-2020-4040

Detect and mitigate CVE-2020-4040 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →